Researchers Reveal More Details of iOS Masque Attacks

Researchers at FireEye revealed more information about how attackers can compromise iOS devices. 

Last year, FireEye reported a flaw in iOS that can be exploited in what the firm dubbed the ‘Masque Attack’. In the attack, researchers showed it was possible for hackers to replace legitimate iOS apps with malicious ones via SMS, email or web browsing. In total, the firm notified Apple about five security issues related to four kinds of Masque Attacks. The firm has now published further detail on how attackers could pull off the attack.

According to FireEye, it was possible to leverage a bypass for the iOS prompt for trust and iOS URL scheme hijacking as part of the attack. While the iOS trust prompt bypass issue was fixed in iOS 8.1.3, the iOS URL scheme hijacking issue remains present.

“By deliberately defining the same URL schemes used by other apps, a malicious app can still hijack the communications towards those apps and mount phishing attacks to steal login credentials,” FireEye researchers Hui Xue, Song Jin, Tao Wei, Yulong Zhang and Zhaofeng Chen noted in a joint blog post. “Even worse than the first Masque Attack, attackers might be able to conduct Masque Attack II through an app in the App Store.”

When the user clicks to open an enterprise-signed app for the first time, iOS asks whether the user trusts the signing party, the researchers explained.

“We find that when calling an iOS URL scheme, iOS launches the enterprise-signed app registered to handle the URL scheme without prompting for trust,” the researchers blogged. “It doesn’t matter whether the user has launched that enterprise-signed app before. Even if the user has always clicked ‘Don’t Trust’, iOS still launches that enterprise-signed app directly upon calling its URL scheme. In other words, when the user clicks on a link in SMS, iOS Mail or Google Inbox, iOS launches the target enterprise-signed app without asking for the user’s ‘Trust’ or even ignores the user’s ‘Don’t Trust’. An attacker can leverage this issue to launch an app containing a Masque Attack.”

By creating and distributing enterprise-signed malware that registers app URL schemes identical to the ones used by popular, legitimate apps, an attacker can hijack the legitimate apps’ URL schemes and mimic their user interface to carry out phishing attacks or other malicious activities, the researchers noted.

According to FireEye, the mechanism of URL scheme handling allows apps from different developers to share the same URL schemes. However, it also means attackers can either publish an “aggressive app” into the App Store, or use enterprise-signed/ad hoc malware that registers app URL schemes identical to those of legitimate apps. By doing so, attackers can mimic a legitimate app’s user interface and carry out login credential theft or steal data meant to be shared between two trusted applications.

“On iOS App Store, the two apps ‘BASCOM Anywhere Filter Browser’ and ‘Chrome – web browser by Google’ both registered the URL schemes ‘googlechrome://’ and ‘googlechromes://’,” the researchers blogged. “With both apps installed, an iOS 8.1.3 device launches ‘BASCOM Anywhere Filter Browser’ instead of Google’s Chrome browser when the user clicks on a link shown in Safari browser which uses the scheme ‘googlechrome://’ or ‘googlechromes://’. We’ve also seen 28 App Store apps all registering the URL scheme ‘fb://’, which is one of the URL schemes registered by the Facebook app. 16 of these 28 apps are not from Facebook. At least 8048 App Store apps register the same URL scheme ‘fb118493188254996’ and many of these apps are from different developers.”
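The collision the researchers describe is visible in each app's Info.plist: custom URL schemes are declared under CFBundleURLTypes, and nothing stops two unrelated bundles from declaring the same scheme. The script below, an added example rather than FireEye's or SecurityWeek's code, performs the kind of audit that surfaced the ‘fb://’ and ‘googlechrome://’ duplicates: it parses a set of Info.plist files, normalises the schemes, and reports every scheme that more than one app registers, plus any scheme claimed by an app other than its known owner. All bundle identifiers, scheme names and plist contents are constructed sample data; a real audit would read Info.plist out of each .app bundle being checked.

```python
"""Audit iOS app Info.plist files for custom URL schemes registered by more
than one app, the condition behind the URL scheme hijacking FireEye describes.

Added example, not code from FireEye or SecurityWeek. Bundle identifiers and
plist contents are constructed sample data.
"""
import plistlib
from collections import defaultdict
from typing import Optional


def _plist(bundle_id: str, schemes: Optional[list]) -> bytes:
    """Build a minimal XML Info.plist for a constructed sample app.

    `schemes` is None for an app that declares no CFBundleURLTypes at all,
    a normal case the audit has to tolerate.
    """
    body = f"<key>CFBundleIdentifier</key><string>{bundle_id}</string>"
    if schemes is not None:
        items = "".join(f"<string>{s}</string>" for s in schemes)
        body += (
            "<key>CFBundleURLTypes</key><array><dict>"
            f"<key>CFBundleURLSchemes</key><array>{items}</array>"
            "</dict></array>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<plist version="1.0"><dict>{body}</dict></plist>'
    ).encode()


# Constructed sample Info.plist data keyed by hypothetical bundle identifier.
SAMPLE_PLISTS = {
    "com.example.social": _plist("com.example.social", ["examplesocial", "examplesocial-login"]),
    "com.example.browser": _plist("com.example.browser", ["examplebrowser", "examplebrowsers"]),
    # An unrelated app that re-registers schemes belonging to the two apps above,
    # one of them in different case.
    "com.example.impostor": _plist("com.example.impostor", ["ExampleSocial", "examplebrowser", "impostor"]),
    # An app that registers no URL schemes at all.
    "com.example.plain": _plist("com.example.plain", None),
}


def url_schemes(plist_bytes: bytes) -> set:
    """Return the custom URL schemes an Info.plist registers, lower-cased.

    Schemes live under CFBundleURLTypes -> [ {CFBundleURLSchemes: [...]} ].
    RFC 3986 treats scheme names case-insensitively, so normalise before
    comparing across apps.
    """
    info = plistlib.loads(plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())
    return schemes


def find_collisions(plists: dict) -> dict:
    """Map each scheme registered by two or more apps to the sorted list of
    bundle identifiers that register it."""
    registrants = defaultdict(set)
    for bundle_id, data in plists.items():
        for scheme in url_schemes(data):
            registrants[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in registrants.items() if len(ids) > 1}


def foreign_registrants(plists: dict, known_owners: dict) -> dict:
    """For schemes with a known legitimate owner (keys lower-cased), list every
    other app that also registers them, whether or not the owner is present."""
    found = {}
    for bundle_id, data in plists.items():
        for scheme in url_schemes(data):
            owner = known_owners.get(scheme)
            if owner is not None and owner != bundle_id:
                found.setdefault(scheme, []).append(bundle_id)
    return {s: sorted(ids) for s, ids in found.items()}


if __name__ == "__main__":
    for scheme, apps in find_collisions(SAMPLE_PLISTS).items():
        print(f"{scheme}:// registered by {', '.join(apps)}")
    owners = {"examplesocial": "com.example.social"}
    for scheme, apps in foreign_registrants(SAMPLE_PLISTS, owners).items():
        print(f"{scheme}:// also claimed by non-owner(s): {', '.join(apps)}")
```

On the sample data the audit flags ‘examplesocial’ and ‘examplebrowser’ as registered by two bundles each, and identifies com.example.impostor as a non-owner claiming ‘examplesocial’. The receiving app cannot prevent another bundle from registering its scheme, so the check belongs with whoever vets a device's or an app store's inventory; an app that must not leak data to a look-alike should avoid passing credentials or tokens through custom URL schemes at all.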

App stores, whether from Apple, Google, or Amazon, are quickly becoming platforms unto themselves, and that makes them viable targets for attack, noted Tim Erlin, director of IT security and risk strategy at Tripwire.

“This attack leverages a point of trusted interaction that Apple seems to have missed, or assessed incorrectly,” he said. “It’s nearly guaranteed that there are more of these points to exploit. We should expect to see follow-on efforts from attackers and researchers against Apple and others.”
